
Unable to RDP or Ping to Remote Site

drikilbride
Level 1

Hi

We have two ASAs. One on Site A (ASA 5510) and one on Site B (ASA 5505).

I have a VPN Site to Site tunnel connecting both sites which is working away fine. Users on the remote site can access servers here on Site A.

My problem is that from Site A I am unable to ping any PCs on Site B or RDP to them. It is essential for our IT Helpdesk to be able to RDP to these machines.

Our internal network on Site A has a 10.255.0.0 255.255.0.0 range. And the remote network has a 192.168.1.0 255.255.255.0 range.

I will upload both configs and maybe someone can shed some light as to why I can't ping or RDP to the remote machines.

Thanks

11 Replies

Jennifer Halim
Cisco Employee

On site B, please remove the following line:

nat (outside) 0 access-list outside_nat0_outbound

And perform "clear xlate" after removing the above.

On site B, please also add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Hope that helps.

When I say

no nat (outside) 0 access-list outside_nat0_outbound I get the following error

ERROR: access-list outside_nat0_outbound not bound nat 0

Any ideas?

Strange, because that statement is in your configuration on site B.

What does the output "sh run nat" show you?

If it's not showing that particular line, try "clear xlate" and see if you can RDP or ping to site B.

You might also want to check if "windows firewall" or other PC's firewall is turned on because sometimes they block incoming ping/connection.

Are you able to ping 192.168.1.1 from site A?

This is what I have when I run sh nat

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

Actually when I ping 192.168.1.1 I do get replies, I hadn't tried that until now.

If I try to ping a PC called sph-comp-164 IP 192.168.1.21 on Site B I get Request Timed Out.

All PCs on that end have firewalls disabled.

Thanks!

Have you added this on site B:

policy-map global_policy
 class inspection_default
  inspect icmp

On Site B I can enter the first two lines but the third throws up the following error. Am I doing something wrong?

If you are on ASDM, please enable it through the following:

Configuration --> Firewall --> Service Policy Rules --> highlight and edit the "inspection_default" rule --> go to "Rule Actions" tab --> enable "ICMP" --> OK --> Apply

Okay I did that, still unable to ping 192.168.1.21

Here is what I can see through the logs. 10.255.251.82 is my PC. Not sure why the 62.77.180.162 address is appearing there.

What ip address does 62.77.180.162 belong to?

Does 192.168.1.21 actually respond to ping?

If you go to command line, and run "debug icmp trace" and ping, what are you seeing?

Also can you pls run "sh run all sysopt" and share the output.

That IP Address belongs to an external email hosting company that we use and they come through the ASA on site A. I blanked that out of Site A's config. Just not sure why it is appearing on SITE B's ASA.

When I ping 192.168.1.21 I simply get request timed out.

Here is the result from sysopt.

Unfortunately the ASDM won't allow me to run debug commands from it.

As far as configuration on site B is concerned, it seems to be correct.

You might want to try pinging other ip addresses in the 192.168.1.x subnet. If you can ping the ASA inside interface 192.168.1.1 that means the crypto configuration is correct and the ping actually does come from site A towards site B.

Seems to be something local to your LAN subnet.

If you have a switch with SVI on the 192.168.1.x subnet, try to ping that and see if it works. Normally a network device like a switch or router replies to ping if no access-list is blocking it.
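
As an added example (not part of the thread and not any poster's code): a Python check that traffic between the two subnets in the thread is covered by the `nat (inside) 0` exemption seen in the site B NAT output, so replies from a site B PC are not translated by `nat (inside) 1` before they reach the tunnel. The access-list line in the sample config is constructed, since the thread never shows the ACL contents, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of a site B running config (pre-8.3 ASA NAT syntax, as in
# the thread). The access-list line is an assumption: the thread never shows it.
SITE_B_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only the "network mask network mask" ACL form is parsed; "any", "host" and
# object-group entries are ignored by this check.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)\s*$")


def nat_exempt_pairs(config, interface="inside"):
    """Return (source, destination) networks exempted from NAT on interface."""
    acls, bound = {}, set()
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        m = NAT0_RE.match(line)
        if m and m.group(1) == interface:
            bound.add(m.group(2))  # ACL is actually bound to nat 0
    return [p for name in bound for p in acls.get(name, [])]


def is_exempt(config, src_ip, dst_ip, interface="inside"):
    """True if src_ip -> dst_ip entering `interface` bypasses NAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d
               for s, d in nat_exempt_pairs(config, interface))


if __name__ == "__main__":
    # Echo reply from the site B PC back to the helpdesk PC at site A.
    print(is_exempt(SITE_B_CONFIG, "192.168.1.21", "10.255.251.82"))
```

An ACL that exists but is not bound by a `nat (...) 0 access-list` line is treated as giving no exemption, which is the state to look for when a `no nat ... 0` command reports the list as "not bound".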
